Verified Attribute Schema

From IIW

Issue/Topic: Verified Attributes

Monday – Session 4 - F

Conference: IIW10 May 17-19, 2009 this is the complete Complete Set of Notes

Convener: Kick Willemse

Notes-taker(s): Chris Obdam


A. Tags for the session - technology discussed/ideas considered: Attribute validation, AX 1.0 (1.1), Defining standard methods/levels of attribute verification, leaving the identity validation to the RP’s. OIX.

• AX - OpenID Attribute Exchange Validate Mode - draft van Google van 24 nov 2009 - http://step2.googlecode.com/svn/spec/attribute_exchange_validate/trunk/openid-attribute-exchange-validate-mode.html

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Methods of Validation

1. Self Assertion

2. Proof of possession

  • a. Challenge Response Token
      • i. Email
      • ii. Bank Account
      • iii. Mobile (SMS)
      • iv. Postal Address

3. Authentic Register

4. Official Statement

    • a. Face-to-Face
    • b. Passport
    • c. Claim

Can an attribute also be validated by a organization that did not issue the information e.g. can Stanford confirm that I am a Berkeley student?

There is need for 2 things:

1. An addition to AX for the validation information: validator, validation date and validation method/level.

2. A way to check if the validation method is executed in the right way (OIX?)

How do you handle the liability for the correctness of the information?

Follow Up Questions:

  • Will AX 1.1 support attribute verification ?
  • What Attribute schemes will be used?
    • X500
    • HCARD
    • Soap/XML
    • AX-Sreg
    • Other?
  • What are suitable attribute verification methods?
  • Open Identity Exchange OIX <> Open Attribute Exchange?